My colleague, Ray Shaw, has pointed out some of the many problems of the Australian Government’s new electronic snooping legislation, the Assistance and Access Bill. But there are a couple of likely results that few (if any) have noticed.
It seems that the Assistance and Access Bill is, as I write, still before the House of Representatives, so we may yet be spared this amateurish farce. Maybe. But if it comes, what are the implications?
The Assistance and Access Bill
Reports suggest that the Assistance and Access Bill will empower the government to require computer and software vendors to have some way of finding out the content of encrypted communications. There are two ways – in theory – that this content could be found out:
- The encryption could be broken.
- Some kind of backdoor could be added to the encryption system so that the encryption doesn’t need to be broken.
Virtually all encryption systems these days use public key encryption. I started to write an explanation of how this works, often involving the difficulty of determining the prime factors of large numbers, but that stuff isn’t needed to see the problem.
The problem for the security services is that the communications of potential malefactors are unbreakably secure. As powerful computers become more powerful, and the ability to brute-force a way in increases, the encryption system can be very easily enhanced to defeat the attack. Add one digital bit to the length of the numbers involved, and you more than double the complexity. Add another bit, and the time taken to break the encryption more than doubles again.
In short, public key encryption systems are invincibly secure. The government can issue all the warrants it wants. It might even be able to force a tech company to assign a team to the task. But the team will not be able to achieve anything, no matter how hard they try. Not every problem in the world has a solution.
Yet governments try, accidentally crushing liberties along the way. In this case, through the Assistance and Access Bill.
Here we get to what the government foolishly thinks is the real solution. That is, it apparently believes that it can require communications software companies to build some kind of backdoor or vulnerability into their software.
Let’s use, say, WhatsApp as our example. WhatsApp promised totally secure communications using end-to-end encryption. If we believe its claims, and no-one has ever seriously disputed them, your WhatsApp message to me may be intercepted by someone along the way, but it can never be read by them.
It seems that what the Australian government wants is for WhatsApp, and all the others, to build in some kind of backdoor to its encryption system. Say, a special duplicate key that can also unlock the contents, should it be served with a warrant.
Now most of the commentary I see about this worries, strangely, about how that might make the system less secure against other, nefarious third parties. Well, sorry, no it wouldn’t. Assuming, that is, that WhatsApp could maintain security of the backdoor key, your communications would remain as secure as ever. At least until the government felt suspicious enough about you to get a warrant to break into your communications.
What will happen?
The problem is something completely different.
Let’s say that you are WhatsApp. Let’s say that the government does pass the Assistance and Access Bill. So, the Australian government comes to you next year some time and says: “We insist that you build a backdoor into your app so that when we get a warrant, we can read bad people’s WhatsApp messages.”
What do you do?
Well, you could comply. But your entire business depends on everyone believing that WhatsApp messages are utterly secure. So, could you comply but kind of keep the backdoor secret?